A MAJOR loophole in mobile payment systems has been discovered by researchers from the Chinese University of Hong Kong, who made their findings public yesterday.
The discovery was made by the System Security Lab led by Professor Kehuan Zhang from the university’s computer science and engineering department, which analyzed various major mobile payment systems for security vulnerabilities.
In mobile payment transactions, the key to communications between the payer and payee is a payment token issued by the payment service provider to verify the payment.
Some of the most widely adopted forms of transmitting these tokens include Near-Field Communication, Quick Response code scans and Magnetic Secure Transmission.
According to Zhang, whose team has spent two years conducting an in-depth study into these payment systems, apart from NFC, the formats support one-way communication only.
In other words, if the transaction fails, the payee’s device is unable to notify the payer and cancel or reclaim the token already issued, a loophole that an active adversary can exploit.
In regard to QR code scanning, a popular format of token verification, the study has revealed that a malicious device is able to sniff the token from the payee’s screen from afar and spend it on a different transaction.
As for MST function uniquely used by Samsung Pay, payers are required to place their handsets within a 7.5 centimeter distance of the payees’ POS (point of sale) for identification.
But after a series of tests, the team discovered that the magnetic signals can be picked up from 2 meters away. A criminal in a supermarket queue could seize the opportunity to attack and steal the token.
The team has notified relevant third party payment platforms and Zhang reminded mobile payment users to stay alert and avoid downloading mobile apps from unknown sources.
The result of the study was also released at the 26th USENIX Security Symposium, an annual academic conference on Internet security, held last month in Vancouver, Canada.